Wrong conviction and bad habits
Before introducing the Masque vulnerability and the related attacks, I want to put my analysis in context. The security community is witnessing a rapid rise in the number of attacks against mobile platforms.
The situation appears particularly worrying for the Android platform, for which the number of malware families detected in the last few months has grown exponentially. The principal security firms have also observed an increasingly sophisticated level of attack, and the availability in the underground of the source code of several malware families is creating the conditions for a rapid spread of malicious code.
The situation appears slightly better for Apple iOS devices, for which new malware families such as WireLurker, AdThief and Zorenium have recently been detected.
The principal problems for Apple devices stem from the bad habits of users, who jailbreak their devices to install mobile apps from untrusted sources, opening the door to malicious code.
Another threat to the security of Apple devices is the failure of their users to adopt security measures, driven by the wrong conviction that Apple systems are immune from malware and other cyber threats.
The Masque attack
The news of the moment is the disclosure of a new critical vulnerability that affects recent versions of Apple iOS, including iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta. The disclosure comes a few days after security researchers at Palo Alto Networks detected in the wild a new strain of malware, dubbed WireLurker.
The researchers at FireEye who first detected the vulnerability explained that an attacker exploiting the Masque flaw could replace enterprise mobile apps, even if digitally signed, overwriting them with malicious apps.
“FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier,” wrote Tao Wei, a senior staff research scientist at FireEye, in a blog post.
The Masque vulnerability allows a bad actor to swap out a legitimate iOS app on the device for a malicious one, and, as the researchers revealed, the attack works against both jailbroken and non-jailbroken devices.
The Masque attack can be run remotely. The attacker only has to deliver a malicious link to the victims via SMS or email, or trick them into visiting a web page that contains it.
Tao Wei explained that Apple’s enterprise provisioning feature does not compare the digital certificates of apps that share the same bundle identifier. The enterprise provisioning service implemented by Apple allows enterprise iOS developers to develop and distribute iOS apps without having to upload them to Apple.
“This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier,” Tao Wei said. “An attacker can leverage this vulnerability both through wireless networks and USB … iOS doesn’t check certificates during updating … Attackers can replace the old app with a fake app … Currently there is not MDM API to get the certificate information for each app … Thus, it is difficult for the MDM to detect such attacks.”
The blog post published by FireEye includes a video proof of concept of the Masque attack (https://www.youtube.com/watch?v=3VEQ-bJUhPw). The researchers exploited the vulnerability to replace a legitimate Gmail app, downloaded from the official Apple App Store, with a malicious version of the same app that is able to steal the user’s information, including the victim’s messages.
Figure 1 – The Masque attack – Video PoC from FireEye
The attack chain starts with an SMS that asks the victims to download a new version of a legitimate app, “New Flappy Bird”, which uses the bundle identifier “com.google.Gmail” associated with the Gmail app.
Once the malicious application is installed on the phone, it replaces the original Gmail app with a bogus one used to spy on the victim.
“In one of our experiments, we used an in-house app with a bundle identifier ‘com.google.Gmail’ with a title ‘New Flappy Bird’. We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone,” states the post. “By using the Masque attack, attackers can get all your existing sensitive data on your iPhone,” Wei added.
Figure 2 – The Masque attack – demo from FireEye
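To make the missing check concrete, here is an added Python model (not iOS code and not from FireEye) of the install decision the page describes: the vulnerable policy replaces an app on a bundle-identifier match alone, the hardened one also requires the code-signing identity to match, and an inventory audit flags the mismatch an MDM would want to surface. The bundle identifier and app title come from the FireEye demo; the signer names and the audit baseline are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class AppBundle:
    """One installed (or candidate) app as seen by the install logic."""
    bundle_id: str     # e.g. "com.google.Gmail"
    title: str
    signer: str        # identity from the code-signing certificate
    provisioning: str  # "app_store" or "enterprise"

class UpdateRejected(Exception):
    """Raised when a candidate app may not replace the installed one."""

def install_vulnerable(installed: Dict[str, AppBundle], candidate: AppBundle) -> AppBundle:
    """Models the behaviour FireEye describes: a matching bundle identifier is enough
    to replace the installed app; the signing certificate is never compared."""
    installed[candidate.bundle_id] = candidate
    return candidate

def install_hardened(installed: Dict[str, AppBundle], candidate: AppBundle) -> AppBundle:
    """The missing check: refuse to replace an app unless the signer matches."""
    current = installed.get(candidate.bundle_id)
    if current is not None and current.signer != candidate.signer:
        raise UpdateRejected(f"{candidate.bundle_id}: signer {candidate.signer!r} "
                             f"does not match installed signer {current.signer!r}")
    installed[candidate.bundle_id] = candidate
    return candidate

def audit_inventory(installed: Dict[str, AppBundle], baseline: Dict[str, str]) -> List[str]:
    """Defender-side audit (assumes an MDM can export bundle id and signer): bundle ids
    whose current signer differs from the known-good baseline signer."""
    return sorted(b for b, app in installed.items() if b in baseline and app.signer != baseline[b])

# Constructed sample data mirroring the FireEye demo; signer names are placeholders.
GENUINE_GMAIL = AppBundle("com.google.Gmail", "Gmail", "AppStore-Signer", "app_store")
MASQUE_APP = AppBundle("com.google.Gmail", "New Flappy Bird", "Enterprise-Cert-X", "enterprise")
BASELINE = {GENUINE_GMAIL.bundle_id: GENUINE_GMAIL.signer}

def simulate(install) -> Dict[str, AppBundle]:
    """Start from a phone with genuine Gmail and attempt the Masque install with `install`."""
    phone = {GENUINE_GMAIL.bundle_id: GENUINE_GMAIL}
    try:
        install(phone, MASQUE_APP)
    except UpdateRejected:
        pass  # hardened policy keeps the genuine app in place
    return phone
```

Run `audit_inventory(simulate(install_vulnerable), BASELINE)` to see the replaced bundle flagged; the same audit on the hardened run returns an empty list.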
The impact of the Masque vulnerability is serious. As explained by the experts, a threat actor would be able to mimic the original app to steal the user’s credentials for any kind of service, including signed mobile banking apps.
Another element of concern for the experts at FireEye is that an attacker could gain access to the user data stored in the legitimate app’s directory. The attack replaces the legitimate app, but the data that app stored remains on the device, including local caches.
“Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with a malware that has an identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly,” reports the blog.
Unfortunately, the exploitation of the Masque vulnerability is very simple, as explained by Wei.
“It is a very powerful [vulnerability], but at the same time, it is very easy to exploit,” Wei said. “It can make the enterprise provisioning attack more powerful and more coverage over the victim. It’s easy to exploit and that’s why we are so concerned and why we think users should be warned.”
A few weeks ago, security experts at Palo Alto Networks detected a new strain of malware, dubbed WireLurker. It is a malicious code that is able to infect iOS devices, Apple iPhones and iPads, stealing user data and transferring it to central servers.
The researchers who uncovered WireLurker explained that it exhibits behavior never seen before in malware targeting Apple mobile devices. The malicious code first infects the user’s host (desktop or laptop), which downloads it from the web, then remains stealthy, waiting for an Apple device to be connected via USB.
Once the user connects an iOS device to the machine infected by WireLurker, the malware scans the device to analyze the installed applications. If WireLurker finds that a target app is present, it copies the app from the mobile device to the machine, infects its binary and then installs it again on the mobile device.
The experts at Palo Alto Networks who discovered WireLurker maintain that the instances detected so far only collect data from the compromised devices; no other malicious activity has been observed to date.
The company estimates that several hundred thousand Apple users have already been infected by WireLurker, and experts fear that the infection will spread rapidly.
“WireLurker was used to trojanize 467 OS X applications in the Maiyadi App Store, a third-party Mac application store in China,” Palo Alto Networks’ researcher Claud Xiao said. “In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.”
The following graph shows detections of the WireLurker malware made by experts at Kaspersky Lab on OS X.
Figure 3 – WireLurker detections
The experts at Palo Alto Networks consider WireLurker an innovative piece of malware:
“We believe that this malware family heralds a new era in malware attacking Apple’s desktop and mobile platforms based on the following characteristics:
- Of known malware families distributed through trojanized / repackaged OS X applications, it is the biggest in scale we have ever seen
- It is only the second known malware family that attacks iOS devices through OS X via USB
- It is the first malware to automate generation of malicious iOS applications, through binary file replacement
- It is the first known malware that can infect installed iOS applications similar to a traditional virus
- It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning.”
Apple mobile devices are becoming a preferred target of criminal gangs because of the large number of devices worldwide and the lack of security measures adopted by Apple users.
According to the researchers, the infection was initially spread through several hundred apps offered via Maiyadi, a third-party Chinese software website.
WireLurker primarily targets Apple devices that have been “jailbroken”, which are vulnerable because their users disabled some security features to run certain apps.
Researchers also detected a strain of WireLurker that targets iPhones and carries an Apple digital certificate, but that version needs user approval before it can run. The WireLurker samples detected also target popular Chinese apps such as Taobao, Alipay and Meitu.
Another interesting discovery, made by the experts at the security firm AlienVault, is the existence of a WireLurker version that targets Win32 machines. The malware analysts detected a file named 万能视频播放器 2.21.exe with MD5 fb4756b924c5943cdb73f5aec0cb7b14.
Figure 4 – Win32 WireLurker module
The file was compiled in March 2014. The Win32 application installs the malicious iOS payload on the victim’s iOS device.
Apple has blocked the apps that could be used by threat actors to propagate the infection. Meanwhile, Palo Alto Networks has released a detector tool for users who want to check whether their Mac or Apple mobile devices are infected.
Countermeasures against the Masque attacks
To avoid falling victim to Masque attacks, security experts suggest adopting the following simple practices:
- Never download mobile apps by clicking on a link received via unsolicited email or text messages, or found in the content of a web page.
- Do not install mobile apps offered on pop-ups from third-party websites.
- If the mobile device displays an alert about an “Untrusted App Developer,” click “Don’t Trust” on the alert and uninstall the application.
The Comparison: WireLurker vs Masque
As explained by Tao Wei from FireEye, WireLurker is, so far, the only attack observed in the wild that exploits the Masque vulnerability.
Experts at FireEye analyzing WireLurker discovered that it partially utilizes the Masque attack through USB. The experts maintain that Masque attacks can pose a much bigger threat than WireLurker, because the Masque scheme can completely replace authentic apps and access the original app’s local data.
“After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threat than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with a malware that has an identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly,” states the blog post published by FireEye.
The recent attacks demonstrate the great interest of cybercrime in the exploitation of mobile platforms. As explained in the post, bad habits are the principal cause of exposure to cyber threats.
Downloading applications from unofficial sources, such as alternative third-party stores, file-sharing websites, torrents and other P2P file-sharing networks, increases the risk of exposure to malware. This is the leading cause of infection for Mac OS X users, who wrongly consider their system immune from cyber attacks.
Another factor to consider is the attack chain of the recent cases: a threat actor compromises a victim’s machine (desktop or laptop) and later infects the mobile devices connected to it.
“WireLurker showed us how the infection can move from your Mac to your iPhone,” state the experts at Kaspersky.
The attacks are becoming ever more sophisticated, and it is necessary to share information on the tactics, techniques and procedures (TTPs) adopted by the principal criminal crews to reduce the risk of infection. Let me close the report by providing the indicators of compromise published by the researchers at Kaspersky Lab, who shared this valuable information to help contain the infection.
Indicators of compromise
Command and Control servers